vaindil

Reputation: 7854

SSLCertificateChainFile is obsolete

I'm on Apache 2.4.12, so SSLCertificateChainFile is now obsolete, and any intermediate certificates are supposed to be included in the server certificate file. I cannot figure out how to do this, however--any combination of certificates other than only the site certificate inside the specified file causes an invalid key error. How do I properly include the intermediate certificate inside the file that I specify using SSLCertificateFile?

Upvotes: 11

Views: 26759

Answers (2)

Jonathan Y.

Reputation: 556

Taken from the Apache 2.4 Module mod_ssl documentation:

SSLCertificateFile Directive

The files may also include intermediate CA certificates, sorted from leaf to root. This is supported with version 2.4.8 and later, and obsoletes SSLCertificateChainFile.

What this means is that the SSLCertificateFile directive now (after 2.4.8) accepts files with a full certificate chain (from leaf to root). If you have your server certificate in domain.crt and the CA chain file in domain-ca.crt, you'd need to concatenate both files from leaf to root, i.e. starting with your server certificate, as in

cat domain.crt domain-ca.crt > bundle.crt

and use that file inside your site's conf file:

SSLCertificateFile      /path/to/bundle.crt

(For example, using Ubuntu default path, these files will be stored at /etc/apache2/ssl/.)

Upvotes: 12
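
A way to check such a bundle before reloading Apache, as an added example that is not part of the answer above: it confirms that the first certificate in the file matches the private key and that each certificate is issued by the one after it (leaf to root). The function names and file names are assumptions; only the `openssl` command-line tool is required.

```sh
#!/bin/sh
# Added example: check a bundle before pointing SSLCertificateFile at it.
# Usage: sh check_bundle.sh bundle.crt domain.key   (script name is arbitrary)

# Print the "subject" or "issuer" name of a certificate file, normalized.
cert_name() {
    openssl x509 -in "$1" -noout "-$2" -nameopt RFC2253 | sed "s/^$2= *//"
}

# Body runs in a subshell, so variables and `exit` stay local to the function.
check_bundle() (
    bundle=$1 key=$2 rc=0
    tmp=$(mktemp -d) || exit 2

    # Split the bundle into 1.pem, 2.pem, ... in file order; print the count.
    n=$(awk -v d="$tmp" '/-----BEGIN CERTIFICATE-----/ { n++ }
                         n { print > (d "/" n ".pem") }
                         END { print n + 0 }' "$bundle")
    if [ "${n:-0}" -eq 0 ]; then
        echo "FAIL: no certificates in $bundle"; rm -rf "$tmp"; exit 1
    fi

    # Leaf first: certificate 1 must carry the public key of the private key.
    if [ "$(openssl x509 -in "$tmp/1.pem" -noout -pubkey)" != \
         "$(openssl pkey -in "$key" -pubout 2>/dev/null)" ]; then
        echo "FAIL: first certificate does not match $key"; rc=1
    fi

    # Leaf to root: each certificate must be issued by the one after it.
    i=1
    while [ "$i" -lt "$n" ]; do
        next=$((i + 1))
        if [ "$(cert_name "$tmp/$i.pem" issuer)" != \
             "$(cert_name "$tmp/$next.pem" subject)" ]; then
            echo "FAIL: certificate $i is not issued by certificate $next"; rc=1
        fi
        i=$next
    done

    rm -rf "$tmp"
    [ "$rc" -eq 0 ] && echo "OK: $n certificate(s), leaf first, key matches"
    exit "$rc"
)

if [ "$#" -eq 2 ]; then check_bundle "$1" "$2"; fi
```

The check compares names and the public key only; it does not verify signatures or expiry dates.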

Christian

Reputation: 326

For Apache 2.4.8, SSLCertificateChainFile has been made obsolete. However, it's just deprecated and not removed, so you may continue to use the older style. However, for Apache versions > 2.4.8, SSLCertificateChainFile will not work.

SSLCertificateChainFile is deprecated

SSLCertificateChainFile became obsolete with version 2.4.8, when SSLCertificateFile was extended to also load intermediate CA certificates from the server certificate file

source: https://httpd.apache.org/docs/2.4/mod/mod_ssl.html#SSLCertificateChainFile

Old Style (Valid on Apache <= 2.4.8)

#SSL Directives
SSLEngine on
SSLCertificateFile /etc/ssl/certs/<mydomain.com>.crt
SSLCertificateKeyFile /etc/ssl/private/<mydomain.com>.key
SSLCertificateChainFile /etc/ssl/certs/<full-chain-bundle>.crt

source: How to Install an SSL Certificate on Apache

New Style (Valid on Apache >= 2.4.8)

#SSL Directives
SSLEngine on
SSLCertificateFile /etc/ssl/certs/<full-chain-bundle>.crt
SSLCertificateKeyFile /etc/ssl/private/<mydomain.com>.key

source: https://codesport.io/lamp-stack-advanced/lets-encrypt-tutorial/#vhost-config

Upvotes: 6
